6.8. Creating Audit Reports

The aureport utility allows you to generate summary and columnar reports on the events recorded in Audit log files. By default, all audit.log files in the /var/log/audit/ directory are queried to create the report. To run the report against a different file, use the aureport options -if file_name command.

Example 6.8. Using aureport to Generate Audit Reports

To generate a report for logged events in the past three days excluding the current example day, use the following command:

~]# aureport --start 04/08/2013 00:00:00 --end 04/11/2013 00:00:00

To generate a report of all executable file events, use the following command:

~]# aureport -x

To generate a summary of the executable file event report above, use the following command:

~]# aureport -x --summary

To generate a summary report of failed events for all users, use the following command:

~]# aureport -u --failed --summary -i

To generate a summary report of all failed login attempts for each system user, use the following command:

~]# aureport --login --summary -i
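The date-range and summary commands above can be combined into one reusable script. This is an added example, not part of the Red Hat documentation; the function names report_window and run_reports are hypothetical, and GNU date (as shipped with Red Hat Enterprise Linux) is assumed.

```shell
#!/bin/sh
# Added example: wraps the aureport commands from Example 6.8 so the
# "past N days, excluding the current day" window is computed, not typed.

# Print the --start/--end arguments covering the N full days before DAY.
# DAY (YYYY-MM-DD) defaults to today. Dates are emitted as MM/DD/YYYY, the
# format used in the example above; aureport reads dates according to the
# locale, so this assumes an en_US-style LC_TIME.
report_window() {
    days=$1
    day=${2:-$(date +%F)}
    case $days in
        ''|*[!0-9]*)
            echo "report_window: days must be a whole number" >&2
            return 1 ;;
    esac
    # -u keeps the arithmetic in UTC so a DST change cannot shift the date.
    start=$(date -u -d "$day $days days ago" +%m/%d/%Y) || return 1
    end=$(date -u -d "$day" +%m/%d/%Y) || return 1
    echo "--start $start 00:00:00 --end $end 00:00:00"
}

# Run the reports from the example above over one common window.
# Must be run as root on a host where auditd has written logs.
run_reports() {
    window=$(report_window "$@") || return 1
    # $window is left unquoted on purpose: it must split into six arguments.
    echo "== Overall summary =="
    aureport $window
    echo "== Executable summary =="
    aureport -x --summary $window
    echo "== Failed events per user =="
    aureport -u --failed --summary -i $window
    echo "== Login summary =="
    aureport --login --summary -i $window
}
```

Source the file and call `run_reports 3` as root to reproduce the three-day window from the first command; pass a second argument such as `2013-04-11` to pin the reference day.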

To generate a report from an ausearch query that searches all file access events for user ID 1000, use the following command: